The Case For Detecting Lateral Movement

Greg S, published in Cyber Reboot, Mar 14, 2018

Two of the industry metrics that we have been paying attention to are 1) the percentage of organizations that don’t discover their own breaches but instead learn of them through a third party (over half, according to FireEye) and 2) the average amount of time an adversary “dwells” in a network — also known as the “Breach Detection Gap” — before being detected (most research points to over 100 days, on average).

(Source: FireEye 2017 M-Trends Report)

The good news is that — in North America at least — dwell times are decreasing; the trend lines are moving in the right direction. The bad news is that even in 2018, most organizations don’t know when they’ve been breached, and adversaries are roaming around in networks unabated for weeks, sometimes months. The dwell time problem is understood and increasingly being discussed by practitioners, but solving it remains challenging.

Through the Poseidon Software Defined Networking (SDN) project, the Cyber Reboot team decided to explore lateral movement detection for two primary reasons: 1) it is a key component to most computer intrusions, and part of a bigger issue that remains a national security problem, and 2) we believe the application of machine learning and SDN presents new opportunities in detection. We still have some big questions to answer, but the journey has already forced us to think differently about a few things.

Re-examining the Cyber Kill Chain

You are probably familiar with the phrase “Cyber Kill Chain” or similarly, the “Cyber Attack Lifecycle.” (If not, there’s a good CSO article that’s worth a read here.) In short, both are broadly recognized models used to describe stages of an adversarial attack.

The “Cyber Kill Chain” stages (source: Lockheed Martin)
The “Cyber Attack Lifecycle” stages (source: FireEye)

Few would dispute that these are useful models when applied in the right contexts. When considering the full lifecycle of an attack, though, Cyber Reboot has concluded that there are really three fundamental phases to most network intrusions:

1. A pre-compromise phase — This phase begins with a human who has a target and an objective (steal something, break something, learn something, etc.), continues with the deployment of infrastructure and tools required to execute an attack, and eventually leads to the reconnaissance of the target. We felt it important to call out that at the start of the whole cycle, there is indeed a human with a goal.

2. The actual compromise — This is the initial execution phase where an adversary executes the attack, breaches the target’s defenses, establishes a foothold, and sets up initial communication mechanism(s). Most of the commercial market has spent the last several decades attempting to prevent the successful execution of this phase.

3. A post-compromise phase — This phase includes the remaining steps needed to achieve the adversary’s objective: the further exploration of the network (from the inside), the identification of specific target systems or information, any “movement” required to reach that target, the collection of data, and the exfiltration of data or a desired “action” on the objective.

Put in a more visual way:

A model for how Cyber Reboot has been thinking about an Attack Chain

The simple reality is that most efforts — and dollars — have been spent on attempting to address the compromise phase. The rise of threat intelligence efforts has brought some newer possibilities for the pre-compromise phase, but there has historically been less emphasis on the post-compromise phase. The Poseidon project explores the art of the possible in detecting — and ideally disrupting — post-compromise activities. Why do we bring this up, you ask?

The Cyber Reboot team continues to see evidence that broad scale SDN (Software Defined Networking) adoption is a matter of when, not if. As more and more networks become SDN-capable, the ability to monitor and collect on internal networks should become far easier. As anyone who has dealt with network intrusion detection system placements over the years will attest, deploying and collecting on network perimeters is one thing, but collecting from deep within the data center, on access switches, or at the workstations, is far more difficult. But that level of difficulty fundamentally changes if one has a network fabric that can be instrumented programmatically; port mirroring via API will become the new reality. This newfound agility could give us the ability to collect from anywhere and at any time. Can we use this ability to gather better data, explore new techniques, and ultimately try to detect adversaries before they reach their objectives?
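To make the point concrete, here is an added example (not Poseidon code, and not part of the original post) of the kind of check that becomes possible once mirrored traffic from access switches is available: it summarizes constructed internal flow records per source host and flags a host that suddenly fans out to many distinct internal peers, one common signature of the “movement” step in the post-compromise phase. The flow tuple layout, the internal address range and the threshold are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flow summaries, as a mirrored-port collector might emit:
# (timestamp in minutes, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # Baseline: workstations talking to a file server and a DNS server
    (0, "10.1.1.20", "10.1.0.5", 445),
    (1, "10.1.1.21", "10.1.0.5", 445),
    (2, "10.1.1.20", "10.1.0.53", 53),
    (3, "10.1.1.22", "10.1.0.5", 445),
    (4, "10.1.1.21", "10.1.0.53", 53),
    # One workstation then fans out across internal hosts on admin ports
    (10, "10.1.1.20", "10.1.1.21", 445),
    (10, "10.1.1.20", "10.1.1.22", 445),
    (11, "10.1.1.20", "10.1.1.23", 3389),
    (11, "10.1.1.20", "10.1.1.24", 22),
    (12, "10.1.1.20", "10.1.2.30", 5985),
    # Internet-bound traffic is not internal-to-internal and is ignored here
    (12, "10.1.1.22", "93.184.216.34", 443),
]


def internal_fanout(flows, window_minutes=5):
    """Count distinct internal destination hosts per source per time window.

    Returns {src_ip: {window_index: distinct_internal_destinations}}.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, _port in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            seen[src][ts // window_minutes].add(dst)
    return {src: {w: len(d) for w, d in wins.items()} for src, wins in seen.items()}


def flag_lateral_fanout(flows, window_minutes=5, threshold=3):
    """Return (src_ip, window_index, distinct_dsts) for every source/window
    whose internal fan-out exceeds the threshold; empty list if none do."""
    alerts = []
    for src, wins in internal_fanout(flows, window_minutes).items():
        for window, count in sorted(wins.items()):
            if count > threshold:
                alerts.append((src, window, count))
    return alerts


if __name__ == "__main__":
    for src, window, count in flag_lateral_fanout(SAMPLE_FLOWS):
        print(f"fan-out alert: {src} reached {count} internal hosts in window {window}")
```

On real data the threshold would come from each host’s own history rather than a fixed number, but the structure of the check is the same.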

The Poseidon project has been both a challenging and fascinating project for the team working on it. One part networking, one part cyber security, and one part data science, Poseidon brings together a number of disciplines that rarely intersect…but should. Over the coming weeks we are going to share many of the tools, observations, discoveries, and failures we’ve made along this journey. We hope you will find them as interesting as we do!

Cyber Reboot, an IQT lab, has the goal of increasing the cost and complexity for our adversaries while reducing cost and complexity for our defenders.

Learn more at http://www.cyberreboot.org/ and follow us on Twitter: @_cyberreboot
